diff --git a/terraform/.header.md b/terraform/.header.md
deleted file mode 100644
index 1fe5a09ddaba..000000000000
--- a/terraform/.header.md
+++ /dev/null
@@ -1,48 +0,0 @@
-This module provides a basic Fleet setup. This assumes that you bring nothing to the installation.
-If you want to bring your own VPC/database/cache nodes/ECS cluster, then use one of the submodules provided.
-
-To quickly list all available module versions you can run:
-```shell
-git tag |grep '^tf'
-```
-
-The following is the module layout, so you can navigate to the module that you want:
-
-* Root module (use this to get a Fleet instance ASAP with minimal setup)
- * BYO-VPC (use this if you want to install Fleet inside an existing VPC)
- * BYO-database (use this if you want to use an existing database and cache node)
- * BYO-ECS (use this if you want to bring your own everything but Fleet ECS services)
-
-# Migrating from existing Dogfood code
-The below code describes how to migrate from existing Dogfood code
-
-```hcl
-moved {
- from = module.vpc
- to = module.main.module.vpc
-}
-
-moved {
- from = module.aurora_mysql
- to = module.main.module.byo-vpc.module.rds
-}
-
-moved {
- from = aws_elasticache_replication_group.default
- to = module.main.module.byo-vpc.module.redis.aws_elasticache_replication_group.default
-}
-```
-
-This focuses on the resources that are "heavy" or store data. Note that the ALB cannot be moved like this because Dogfood uses the `aws_alb` resource and the module uses the `aws_lb` resource. The resources are aliases of eachother, but Terraform can't recognize that.
-
-# How to improve this module
-If this module somehow doesn't fit your needs, feel free to contact us by
-opening a ticket, or contacting your contact at Fleet. Our goal is to make this module
-fit all needs within AWS, so we will try to find a solution so that this module fits your needs.
-
-If you want to make the changes yourself, simply make a PR into main with your additions.
-We would ask that you make sure that variables are defined as null if there is
-no default that makes sense and that variable changes are reflected all the way up the stack.
-
-# How to update this readme
-Edit .header.md and run `terraform-docs markdown . > README.md`
diff --git a/terraform/README.md b/terraform/README.md
index 243586d48509..5291012763e4 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -1,89 +1,13 @@
-This module provides a basic Fleet setup. This assumes that you bring nothing to the installation.
-If you want to bring your own VPC/database/cache nodes/ECS cluster, then use one of the submodules provided.
+# Moved
-To quickly list all available module versions you can run:
-```shell
-git tag |grep '^tf'
-```
-
-The following is the module layout, so you can navigate to the module that you want:
-
-* Root module (use this to get a Fleet instance ASAP with minimal setup)
- * BYO-VPC (use this if you want to install Fleet inside an existing VPC)
- * BYO-database (use this if you want to use an existing database and cache node)
- * BYO-ECS (use this if you want to bring your own everything but Fleet ECS services)
+The Fleet Terraform Modules have moved to [here](https://github.com/fleetdm/fleet-terraform).
-# Migrating from existing Dogfood code
-The below code describes how to migrate from existing Dogfood code
+The tags for all legacy versions of modules are still available by their named versions.
-```hcl
-moved {
- from = module.vpc
- to = module.main.module.vpc
-}
+The repo can be searched for these by via the following command:
-moved {
- from = module.aurora_mysql
- to = module.main.module.byo-vpc.module.rds
-}
-
-moved {
- from = aws_elasticache_replication_group.default
- to = module.main.module.byo-vpc.module.redis.aws_elasticache_replication_group.default
-}
+```
+git tag | grep tf-mod
```
-This focuses on the resources that are "heavy" or store data. Note that the ALB cannot be moved like this because Dogfood uses the `aws_alb` resource and the module uses the `aws_lb` resource. The resources are aliases of eachother, but Terraform can't recognize that.
-
-# How to improve this module
-If this module somehow doesn't fit your needs, feel free to contact us by
-opening a ticket, or contacting your contact at Fleet. Our goal is to make this module
-fit all needs within AWS, so we will try to find a solution so that this module fits your needs.
-
-If you want to make the changes yourself, simply make a PR into main with your additions.
-We would ask that you make sure that variables are defined as null if there is
-no default that makes sense and that variable changes are reflected all the way up the stack.
-
-# How to update this readme
-Edit .header.md and run `terraform-docs markdown . > README.md`
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.8 |
-
-## Providers
-
-No providers.
-
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| [byo-vpc](#module\_byo-vpc) | ./byo-vpc | n/a |
-| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.1.2 |
-
-## Resources
-
-No resources.
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [alb\_config](#input\_alb\_config) | n/a |
| no |
-| [fleet\_config](#input\_fleet\_config) | The configuration object for Fleet itself. Fields that default to null will have their respective resources created if not specified. |
| no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [byo-vpc](#output\_byo-vpc) | n/a |
-| [vpc](#output\_vpc) | n/a |
+All names and versions will be visible.
diff --git a/terraform/addons/README.md b/terraform/addons/README.md
deleted file mode 100644
index c6b805fd621f..000000000000
--- a/terraform/addons/README.md
+++ /dev/null
@@ -1,2 +0,0 @@
-This directory contains addons to the core Fleet module that add additional features such as logging destinations, or other features that some customers might not want.
-These can be included and used as desired.
diff --git a/terraform/addons/byo-file-carving/carving/.header.md b/terraform/addons/byo-file-carving/carving/.header.md
deleted file mode 100644
index c3aec75907c6..000000000000
--- a/terraform/addons/byo-file-carving/carving/.header.md
+++ /dev/null
@@ -1,16 +0,0 @@
-# S3 File Carving backend
-
-This module creates the necessary IAM role for Fleet to attach when it's running in server mode.
-
-It also exports the `fleet_extra_environment_variables` to configure Fleet server to use S3 as the backing carve results store.
-
-Usage typically looks like:
-
-```terraform
-fleet_config = {
- extra_environment_variables = merge(
- local.extra_environment_variables,
- module.carving.fleet_extra_environment_variables
- )
-}
-```
\ No newline at end of file
diff --git a/terraform/addons/byo-file-carving/carving/.terraform-docs.yml b/terraform/addons/byo-file-carving/carving/.terraform-docs.yml
deleted file mode 100644
index 1d139ddb401d..000000000000
--- a/terraform/addons/byo-file-carving/carving/.terraform-docs.yml
+++ /dev/null
@@ -1 +0,0 @@
-header-from: .header.md
diff --git a/terraform/addons/byo-file-carving/carving/README.md b/terraform/addons/byo-file-carving/carving/README.md
deleted file mode 100644
index 8958b8469bdc..000000000000
--- a/terraform/addons/byo-file-carving/carving/README.md
+++ /dev/null
@@ -1,54 +0,0 @@
-# S3 File Carving backend
-
-This module creates the necessary IAM role for Fleet to attach when it's running in server mode.
-
-It also exports the `fleet_extra_environment_variables` to configure Fleet server to use S3 as the backing carve results store.
-
-Usage typically looks like:
-
-```terraform
-fleet_config = {
- extra_environment_variables = merge(
- local.extra_environment_variables,
- module.carving.fleet_extra_environment_variables
- )
-}
-```
-
-## Requirements
-
-No requirements.
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | n/a |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_policy.fleet-assume-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy_document.fleet-assume-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [iam\_role\_arn](#input\_iam\_role\_arn) | IAM Role ARN to assume into for file carving uploads to S3 | `string` | n/a | yes |
-| [s3\_bucket\_name](#input\_s3\_bucket\_name) | The S3 bucket for carve results to be written to | `string` | n/a | yes |
-| [s3\_bucket\_region](#input\_s3\_bucket\_region) | The S3 bucket region | `string` | n/a | yes |
-| [s3\_carve\_prefix](#input\_s3\_carve\_prefix) | The S3 object prefix to use when storing carve results | `string` | `""` | no |
-| [sts\_external\_id](#input\_sts\_external\_id) | Optional unique identifier that can be used by the principal assuming the role to assert its identity. | `string` | `""` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [fleet\_extra\_environment\_variables](#output\_fleet\_extra\_environment\_variables) | n/a |
-| [fleet\_extra\_iam\_policies](#output\_fleet\_extra\_iam\_policies) | n/a |
diff --git a/terraform/addons/byo-file-carving/carving/iam.tf b/terraform/addons/byo-file-carving/carving/iam.tf
deleted file mode 100644
index d394ab86ae6a..000000000000
--- a/terraform/addons/byo-file-carving/carving/iam.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-data "aws_iam_policy_document" "fleet-assume-role" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- resources = [var.iam_role_arn]
- }
-}
-
-resource "aws_iam_policy" "fleet-assume-role" {
- policy = data.aws_iam_policy_document.fleet-assume-role.json
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-file-carving/carving/outputs.tf b/terraform/addons/byo-file-carving/carving/outputs.tf
deleted file mode 100644
index 3622e7dfd693..000000000000
--- a/terraform/addons/byo-file-carving/carving/outputs.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-output "fleet_extra_environment_variables" {
- value = {
- FLEET_S3_CARVES_STS_ASSUME_ROLE_ARN = var.iam_role_arn
- FLEET_S3_CARVES_STS_EXTERNAL_ID = var.sts_external_id
- FLEET_S3_CARVES_BUCKET = var.s3_bucket_name
- FLEET_S3_CARVES_REGION = var.s3_bucket_region
- FLEET_S3_CARVES_PREFIX = var.s3_carve_prefix
- }
-}
-
-output "fleet_extra_iam_policies" {
- value = [
- aws_iam_policy.fleet-assume-role.arn
- ]
-}
diff --git a/terraform/addons/byo-file-carving/carving/variables.tf b/terraform/addons/byo-file-carving/carving/variables.tf
deleted file mode 100644
index 054e72fe7bec..000000000000
--- a/terraform/addons/byo-file-carving/carving/variables.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-variable "iam_role_arn" {
- type = string
- description = "IAM Role ARN to assume into for file carving uploads to S3"
-}
-
-variable "sts_external_id" {
- type = string
- description = "Optional unique identifier that can be used by the principal assuming the role to assert its identity."
- default = ""
-}
-
-variable "s3_bucket_name" {
- type = string
- description = "The S3 bucket for carve results to be written to"
-}
-
-variable "s3_bucket_region" {
- type = string
- description = "The S3 bucket region"
-}
-
-variable "s3_carve_prefix" {
- type = string
- description = "The S3 object prefix to use when storing carve results"
- default = ""
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-file-carving/target-account/.header.md b/terraform/addons/byo-file-carving/target-account/.header.md
deleted file mode 100644
index 29dd41664bcd..000000000000
--- a/terraform/addons/byo-file-carving/target-account/.header.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# AWS S3 File Carving Infrastructure
-
-This Terraform configuration sets up the necessary resources for a secure file carving infrastructure in AWS. File carving is a significant capability for security and forensic analysis, enabling organizations to extract and analyze the content of files from their endpoints.
-
-## Overview of Resources
-
-The resources configured in this Terraform script include:
-
-- **AWS Key Management Service (KMS) Key**: A customer-managed KMS key is created to provide server-side encryption for the S3 bucket where carved files will be stored. The policy attached to this key grants full KMS permissions to the AWS account's root user.
-
-- **Amazon S3 Bucket**: An S3 bucket is provisioned to act as the central repository for storing the results of the file carving process. The bucket is named according to the provided variable `var.bucket_name`.
-
-- **S3 Bucket Server-Side Encryption Configuration**: This resource configures server-side encryption for the S3 bucket, specifying the custom-created KMS key as the master key for encrypting objects stored in the bucket.
-
-- **IAM Policy**: An IAM policy is created to enable specific access to the S3 bucket. This policy is defined via a detailed policy document which grants permissions to perform various actions essential for managing the file carving process. Actions include object retrieval (`GetObject*`), object creation (`PutObject*`), listing the bucket (`ListBucket*`), and managing multipart uploads. It also allows for certain KMS actions necessary for encrypting and decrypting the stored data.
-
-- **IAM Role**: An IAM role (`aws_iam_role`) is provisioned with a trust relationship policy that permits an external entity, specified by `var.fleet_iam_role_arn`, to assume the role. This allows secure access to the S3 bucket and KMS key based on assuming roles across AWS accounts or services.
-
-- **IAM Role Policy Attachment**: This attachment links the previously created IAM policy to the IAM role, ensuring that the permissions are in effect when the role is assumed by the external entity.
-
-## Usage
-
-To use this Terraform configuration, ensure that you have Terraform installed and configured with the necessary AWS credentials. You should define the `bucket_name` and `fleet_iam_role_arn` variables according to your organization's requirements before applying the Terraform plan.
-
-This infrastructure enables secure storage and access for file carving results, facilitating forensic analysis and the capability to respond to security incidents effectively.
diff --git a/terraform/addons/byo-file-carving/target-account/.terraform-docs.yml b/terraform/addons/byo-file-carving/target-account/.terraform-docs.yml
deleted file mode 100644
index 1d139ddb401d..000000000000
--- a/terraform/addons/byo-file-carving/target-account/.terraform-docs.yml
+++ /dev/null
@@ -1 +0,0 @@
-header-from: .header.md
diff --git a/terraform/addons/byo-file-carving/target-account/README.md b/terraform/addons/byo-file-carving/target-account/README.md
deleted file mode 100644
index 456dfd077e72..000000000000
--- a/terraform/addons/byo-file-carving/target-account/README.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# AWS S3 File Carving Infrastructure
-
-This Terraform configuration sets up the necessary resources for a secure file carving infrastructure in AWS. File carving is a significant capability for security and forensic analysis, enabling organizations to extract and analyze the content of files from their endpoints.
-
-## Overview of Resources
-
-The resources configured in this Terraform script include:
-
-- **AWS Key Management Service (KMS) Key**: A customer-managed KMS key is created to provide server-side encryption for the S3 bucket where carved files will be stored. The policy attached to this key grants full KMS permissions to the AWS account's root user.
-
-- **Amazon S3 Bucket**: An S3 bucket is provisioned to act as the central repository for storing the results of the file carving process. The bucket is named according to the provided variable `var.bucket_name`.
-
-- **S3 Bucket Server-Side Encryption Configuration**: This resource configures server-side encryption for the S3 bucket, specifying the custom-created KMS key as the master key for encrypting objects stored in the bucket.
-
-- **IAM Policy**: An IAM policy is created to enable specific access to the S3 bucket. This policy is defined via a detailed policy document which grants permissions to perform various actions essential for managing the file carving process. Actions include object retrieval (`GetObject*`), object creation (`PutObject*`), listing the bucket (`ListBucket*`), and managing multipart uploads. It also allows for certain KMS actions necessary for encrypting and decrypting the stored data.
-
-- **IAM Role**: An IAM role (`aws_iam_role`) is provisioned with a trust relationship policy that permits an external entity, specified by `var.fleet_iam_role_arn`, to assume the role. This allows secure access to the S3 bucket and KMS key based on assuming roles across AWS accounts or services.
-
-- **IAM Role Policy Attachment**: This attachment links the previously created IAM policy to the IAM role, ensuring that the permissions are in effect when the role is assumed by the external entity.
-
-## Usage
-
-To use this Terraform configuration, ensure that you have Terraform installed and configured with the necessary AWS credentials. You should define the `bucket_name` and `fleet_iam_role_arn` variables according to your organization's requirements before applying the Terraform plan.
-
-This infrastructure enables secure storage and access for file carving results, facilitating forensic analysis and the capability to respond to security incidents effectively.
-
-## Requirements
-
-No requirements.
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | n/a |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_policy.s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role.carve_s3_delegation_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.s3_access_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_kms_key.s3_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_s3_bucket.carve_results_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_public_access_block.carve_results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [aws_s3_bucket_server_side_encryption_configuration.sse](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.kms_key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [bucket\_name](#input\_bucket\_name) | The name of the osquery carve results bucket | `string` | n/a | yes |
-| [fleet\_iam\_role\_arn](#input\_fleet\_iam\_role\_arn) | The IAM role ARN of the Fleet service | `string` | n/a | yes |
-| [sts\_external\_id](#input\_sts\_external\_id) | Optional unique identifier that can be used by the principal assuming the role to assert its identity. | `string` | `""` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [iam\_role\_arn](#output\_iam\_role\_arn) | n/a |
-| [s3\_bucket\_name](#output\_s3\_bucket\_name) | n/a |
-| [s3\_bucket\_region](#output\_s3\_bucket\_region) | n/a |
diff --git a/terraform/addons/byo-file-carving/target-account/outputs.tf b/terraform/addons/byo-file-carving/target-account/outputs.tf
deleted file mode 100644
index 870d749f3c46..000000000000
--- a/terraform/addons/byo-file-carving/target-account/outputs.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-output "iam_role_arn" {
- value = aws_iam_role.carve_s3_delegation_role.arn
-}
-
-output "s3_bucket_name" {
- value = aws_s3_bucket.carve_results_bucket.id
-}
-
-output "s3_bucket_region" {
- value = aws_s3_bucket.carve_results_bucket.region
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-file-carving/target-account/s3.tf b/terraform/addons/byo-file-carving/target-account/s3.tf
deleted file mode 100644
index a3e4dd53aa1d..000000000000
--- a/terraform/addons/byo-file-carving/target-account/s3.tf
+++ /dev/null
@@ -1,112 +0,0 @@
-data "aws_caller_identity" "current" {}
-
-# IAM policy document for the KMS key
-data "aws_iam_policy_document" "kms_key_policy" {
- statement {
- sid = "Enable IAM User Permissions"
- actions = ["kms:*"]
- resources = ["*"]
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
- }
- }
-}
-
-# Create a KMS key for encrypting the S3 bucket
-resource "aws_kms_key" "s3_encryption_key" {
- description = "KMS key for S3 bucket encryption"
- is_enabled = true
- policy = data.aws_iam_policy_document.kms_key_policy.json
-}
-
-# Create an S3 bucket with server-side encryption using the customer-managed key
-resource "aws_s3_bucket" "carve_results_bucket" {
- bucket = var.bucket_name
-}
-
-resource "aws_s3_bucket_public_access_block" "carve_results" {
- bucket = aws_s3_bucket.carve_results_bucket.id
-
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "sse" {
- bucket = aws_s3_bucket.carve_results_bucket.id
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
- kms_master_key_id = aws_kms_key.s3_encryption_key.key_id
- }
- }
-}
-
-# Create an IAM policy which allows the necessary S3 actions
-resource "aws_iam_policy" "s3_access_policy" {
- name = "s3_access_policy"
- policy = data.aws_iam_policy_document.s3_policy.json
-}
-
-# IAM policy document
-data "aws_iam_policy_document" "s3_policy" {
- statement {
- actions = [
- "s3:GetObject*",
- "s3:PutObject*",
- "s3:ListBucket*",
- "s3:ListMultipartUploadParts*",
- "s3:DeleteObject",
- "s3:CreateMultipartUpload",
- "s3:AbortMultipartUpload",
- "s3:ListMultipartUploadParts",
- "s3:GetBucketLocation"
- ]
-
- resources = [
- aws_s3_bucket.carve_results_bucket.arn,
- "${aws_s3_bucket.carve_results_bucket.arn}/*"
- ]
- }
-
- statement {
- effect = "Allow"
- actions = [
- "kms:Decrypt",
- "kms:GenerateDataKey",
- "kms:Encrypt"
- ]
- resources = [aws_kms_key.s3_encryption_key.arn]
- }
-}
-
-data "aws_iam_policy_document" "assume_role" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- principals {
- identifiers = [var.fleet_iam_role_arn]
- type = "AWS"
- }
- dynamic "condition" {
- for_each = length(var.sts_external_id) > 0 ? [1] : []
- content {
- test = "StringEquals"
- variable = "sts:ExternalId"
- values = [var.sts_external_id]
- }
- }
- }
-}
-
-resource "aws_iam_role" "carve_s3_delegation_role" {
- assume_role_policy = data.aws_iam_policy_document.assume_role.json
-}
-
-# Attach the policy to the role
-resource "aws_iam_role_policy_attachment" "s3_access_attachment" {
- role = aws_iam_role.carve_s3_delegation_role.name
- policy_arn = aws_iam_policy.s3_access_policy.arn
-}
diff --git a/terraform/addons/byo-file-carving/target-account/variables.tf b/terraform/addons/byo-file-carving/target-account/variables.tf
deleted file mode 100644
index 91c716b7daba..000000000000
--- a/terraform/addons/byo-file-carving/target-account/variables.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-variable "bucket_name" {
- type = string
- description = "The name of the osquery carve results bucket"
-}
-
-variable "fleet_iam_role_arn" {
- type = string
- description = "The IAM role ARN of the Fleet service"
-}
-
-variable "sts_external_id" {
- type = string
- description = "Optional unique identifier that can be used by the principal assuming the role to assert its identity."
- default = ""
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-firehose-logging-destination/.header.md b/terraform/addons/byo-firehose-logging-destination/.header.md
deleted file mode 100644
index cd409454e323..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/.header.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Logging Destination: Firehose
-This addon provides a Kinesis Firehose logging destination for Fleet.
-
-First apply the `target-account` module which will provision the necessary bucket, KMS key, and policies.
-
-Then apply the `firehose` module with the required variables.
diff --git a/terraform/addons/byo-firehose-logging-destination/firehose/README.md b/terraform/addons/byo-firehose-logging-destination/firehose/README.md
deleted file mode 100644
index 49bf993112a8..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/firehose/README.md
+++ /dev/null
@@ -1,41 +0,0 @@
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.7 |
-| [aws](#requirement\_aws) | >= 4.52.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | >= 4.52.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_policy.fleet-assume-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy_document.fleet-assume-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [firehose\_audit\_name](#input\_firehose\_audit\_name) | name of the firehose delivery stream for fleet audit logs | `string` | n/a | yes |
-| [firehose\_results\_name](#input\_firehose\_results\_name) | name of the firehose delivery stream for osquery results logs | `string` | n/a | yes |
-| [firehose\_status\_name](#input\_firehose\_status\_name) | name of the firehose delivery stream for osquery status logs | `string` | n/a | yes |
-| [iam\_role\_arn](#input\_iam\_role\_arn) | IAM Role ARN to use for Firehose destination logging | `string` | n/a | yes |
-| [region](#input\_region) | region the target firehose delivery stream is in | `string` | n/a | yes |
-| [sts\_external\_id](#input\_sts\_external\_id) | Optional unique identifier that can be used by the principal assuming the role to assert its identity. | `string` | `""` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [fleet\_extra\_environment\_variables](#output\_fleet\_extra\_environment\_variables) | n/a |
-| [fleet\_extra\_iam\_policies](#output\_fleet\_extra\_iam\_policies) | n/a |
diff --git a/terraform/addons/byo-firehose-logging-destination/firehose/iam.tf b/terraform/addons/byo-firehose-logging-destination/firehose/iam.tf
deleted file mode 100644
index d394ab86ae6a..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/firehose/iam.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-data "aws_iam_policy_document" "fleet-assume-role" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- resources = [var.iam_role_arn]
- }
-}
-
-resource "aws_iam_policy" "fleet-assume-role" {
- policy = data.aws_iam_policy_document.fleet-assume-role.json
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-firehose-logging-destination/firehose/outputs.tf b/terraform/addons/byo-firehose-logging-destination/firehose/outputs.tf
deleted file mode 100644
index 506c48359b04..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/firehose/outputs.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-output "fleet_extra_environment_variables" {
- value = {
- FLEET_FIREHOSE_STATUS_STREAM = var.firehose_status_name
- FLEET_FIREHOSE_RESULT_STREAM = var.firehose_results_name
- FLEET_FIREHOSE_AUDIT_STREAM = var.firehose_audit_name
- FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN = var.iam_role_arn
- FLEET_FIREHOSE_STS_EXTERNAL_ID = var.sts_external_id
- FLEET_FIREHOSE_REGION = var.region
- FLEET_OSQUERY_STATUS_LOG_PLUGIN = length(var.firehose_status_name) > 0 ? "firehose" : ""
- FLEET_OSQUERY_RESULT_LOG_PLUGIN = length(var.firehose_results_name) > 0 ? "firehose" : ""
- FLEET_ACTIVITY_AUDIT_LOG_PLUGIN = length(var.firehose_audit_name) > 0 ? "firehose" : ""
- FLEET_ACTIVITY_ENABLE_AUDIT_LOG = length(var.firehose_audit_name) > 0 ? "true" : "false"
- }
-}
-
-output "fleet_extra_iam_policies" {
- value = [
- aws_iam_policy.fleet-assume-role.arn
- ]
-}
diff --git a/terraform/addons/byo-firehose-logging-destination/firehose/variables.tf b/terraform/addons/byo-firehose-logging-destination/firehose/variables.tf
deleted file mode 100644
index 50bc040469a5..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/firehose/variables.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-variable "iam_role_arn" {
- type = string
- description = "IAM Role ARN to use for Firehose destination logging"
-}
-
-variable "firehose_results_name" {
- type = string
- description = "name of the firehose delivery stream for osquery results logs"
-}
-
-variable "firehose_status_name" {
- type = string
- description = "name of the firehose delivery stream for osquery status logs"
-}
-
-variable "firehose_audit_name" {
- type = string
- description = "name of the firehose delivery stream for fleet audit logs"
-}
-
-variable "region" {
- type = string
- description = "region the target firehose delivery stream is in"
-}
-
-variable "sts_external_id" {
- type = string
- description = "Optional unique identifier that can be used by the principal assuming the role to assert its identity."
- default = ""
-}
diff --git a/terraform/addons/byo-firehose-logging-destination/firehose/version.tf b/terraform/addons/byo-firehose-logging-destination/firehose/version.tf
deleted file mode 100644
index 00143c571d72..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/firehose/version.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.3.7"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4.52.0"
- }
- }
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/.header.md b/terraform/addons/byo-firehose-logging-destination/target-account/.header.md
deleted file mode 100644
index e361e1aa6233..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/target-account/.header.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Firehose Logging Destination Setup
-
-In this Terraform code, we are defining an IAM Role named `fleet_role` in our AWS Account, that will be assumed by the Fleet application we are hosting. We are only allowing this specific IAM Role (identified by its ARN) to perform certain actions on the Firehose service, such as `DescribeDeliveryStream`, `PutRecord`, and `PutRecordBatch`.
-
-The reason we need a local IAM role in your account is so that we can assume role into it, and you have full control over the permissions it has. The associated IAM policy in the same file specifies the minimum allowed permissions.
-
-The Firehose service is KMS encrypted, so the IAM Role we assume into needs permission to the KMS key that is being used to encrypt the data going into Firehose. Additionally, if the data is being delivered to S3, it will also be encrypted with KMS using the AWS S3 KMS key that is managed by AWS. This is because only customer managed keys can be shared across accounts, and the Firehose delivery stream is actually the one writing to S3.
-
-This code sets up a secure and controlled environment for the Fleet application to perform its necessary actions on the Firehose service within your AWS Account.
-
-If you wanted to make changes to the individual files to fit your environment, feel free. However, it's recommended to use a module like the example below for simplicity.
-
-```
-module "firehose_logging" {
- source = "github.com/fleetdm/fleet//terraform/addons/byo-firehose-logging-destination/target-account"
-
- # Variables
- osquery_logging_destination_bucket_name = {your-desired-bucket-prefix}
- fleet_iam_role_arn = {supplied by Fleet}
- sts_external_id = {if using}
-}
-```
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/.terraform-docs.yml b/terraform/addons/byo-firehose-logging-destination/target-account/.terraform-docs.yml
deleted file mode 100644
index 1d139ddb401d..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/target-account/.terraform-docs.yml
+++ /dev/null
@@ -1 +0,0 @@
-header-from: .header.md
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/README.md b/terraform/addons/byo-firehose-logging-destination/target-account/README.md
deleted file mode 100644
index f378e24fafbf..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/target-account/README.md
+++ /dev/null
@@ -1,80 +0,0 @@
-# Firehose Logging Destination Setup
-
-In this Terraform code, we are defining an IAM Role named `fleet_role` in our AWS Account, that will be assumed by the Fleet application we are hosting. We are only allowing this specific IAM Role (identified by its ARN) to perform certain actions on the Firehose service, such as `DescribeDeliveryStream`, `PutRecord`, and `PutRecordBatch`.
-
-The reason we need a local IAM role in your account is so that we can assume role into it, and you have full control over the permissions it has. The associated IAM policy in the same file specifies the minimum allowed permissions.
-
-The Firehose service is KMS encrypted, so the IAM Role we assume into needs permission to the KMS key that is being used to encrypt the data going into Firehose. Additionally, if the data is being delivered to S3, it will also be encrypted with KMS using the AWS S3 KMS key that is managed by AWS. This is because only customer managed keys can be shared across accounts, and the Firehose delivery stream is actually the one writing to S3.
-
-This code sets up a secure and controlled environment for the Fleet application to perform its necessary actions on the Firehose service within your AWS Account.
-
-If you wanted to make changes to the individual files to fit your environment, feel free. However, it's recommended to use a module like the example below for simplicity.
-
-```
-module "firehose_logging" {
- source = "github.com/fleetdm/fleet//terraform/addons/byo-firehose-logging-destination/target-account"
-
- # Variables
- osquery_logging_destination_bucket_name = {your-desired-bucket-prefix}
- fleet_iam_role_arn = {supplied by Fleet}
- sts_external_id = {if using}
-}
-```
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.7 |
-| [aws](#requirement\_aws) | >= 5.29.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | >= 5.29.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_policy.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.fleet_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role.fleet_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.fleet_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_kinesis_firehose_delivery_stream.fleet_log_destinations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
-| [aws_kms_key.firehose_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_s3_bucket.destination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_public_access_block.destination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [aws_s3_bucket_server_side_encryption_configuration.destination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.firehose_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.osquery_firehose_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_kms_alias.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [fleet\_iam\_role\_arn](#input\_fleet\_iam\_role\_arn) | the arn of the fleet role that firehose will assume to write data to your bucket | `string` | n/a | yes |
-| [kms\_key\_arn](#input\_kms\_key\_arn) | An optional KMS key ARN for server-side encryption. If not provided and encryption is enabled, a new key will be created. | `string` | `""` | no |
-| [log\_destinations](#input\_log\_destinations) | A map of configurations for Firehose delivery streams. |
map(object({ name = string prefix = string error_output_prefix = string buffering_size = number buffering_interval = number compression_format = string }))
| no |
-| [osquery\_logging\_destination\_bucket\_name](#input\_osquery\_logging\_destination\_bucket\_name) | name of the bucket to store osquery results & status logs | `string` | n/a | yes |
-| [server\_side\_encryption\_enabled](#input\_server\_side\_encryption\_enabled) | A boolean flag to enable/disable server-side encryption. Defaults to true (enabled). | `bool` | `true` | no |
-| [sts\_external\_id](#input\_sts\_external\_id) | Optional unique identifier that can be used by the principal assuming the role to assert its identity. | `string` | `""` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [firehose\_iam\_role](#output\_firehose\_iam\_role) | n/a |
-| [log\_destinations](#output\_log\_destinations) | Map of Firehose delivery streams' names. |
-| [s3\_destination](#output\_s3\_destination) | n/a |
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/firehose.tf b/terraform/addons/byo-firehose-logging-destination/target-account/firehose.tf
deleted file mode 100644
index c4b45b7c2f40..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/target-account/firehose.tf
+++ /dev/null
@@ -1,90 +0,0 @@
-data "aws_iam_policy_document" "osquery_firehose_assume_role" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- principals {
- identifiers = ["firehose.amazonaws.com"]
- type = "Service"
- }
- }
-}
-
-data "aws_iam_policy_document" "firehose_policy" {
- statement {
- effect = "Allow"
- actions = [
- "s3:AbortMultipartUpload",
- "s3:GetBucketLocation",
- "s3:GetObject",
- "s3:ListBucket",
- "s3:ListBucketMultipartUploads",
- "s3:PutObject",
- "s3:PutObjectAcl" // required according to https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3
- ]
- resources = [
- aws_s3_bucket.destination.arn,
- "${aws_s3_bucket.destination.arn}/*",
- ]
- }
-
- statement {
- effect = "Allow"
- actions = ["logs:PutLogEvents"]
- resources = [
- for name in keys(var.log_destinations) : "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.log_destinations[name].name}:*"
- ]
- }
-
- statement {
- effect = "Allow"
- actions = [
- "kms:Decrypt",
- "kms:GenerateDataKey"
- ]
- resources = [data.aws_kms_alias.s3.arn]
- }
-
-}
-
-resource "aws_iam_role" "firehose" {
- assume_role_policy = data.aws_iam_policy_document.osquery_firehose_assume_role.json
-}
-
-resource "aws_iam_policy" "firehose" {
- policy = data.aws_iam_policy_document.firehose_policy.json
-}
-
-resource "aws_iam_role_policy_attachment" "firehose" {
- policy_arn = aws_iam_policy.firehose.arn
- role = aws_iam_role.firehose.name
-}
-
-resource "aws_kms_key" "firehose_key" {
- count = var.server_side_encryption_enabled && length(var.kms_key_arn) == 0 ? 1 : 0
- description = "KMS key for encrypting Firehose data."
-}
-
-resource "aws_kinesis_firehose_delivery_stream" "fleet_log_destinations" {
- for_each = var.log_destinations
- name = each.value.name
- destination = "extended_s3"
-
- dynamic "server_side_encryption" {
- for_each = var.server_side_encryption_enabled ? [1] : []
- content {
- enabled = var.server_side_encryption_enabled
- key_arn = length(var.kms_key_arn) > 0 ? var.kms_key_arn : aws_kms_key.firehose_key[0].arn
- key_type = "CUSTOMER_MANAGED_CMK"
- }
- }
-
- extended_s3_configuration {
- bucket_arn = aws_s3_bucket.destination.arn
- role_arn = aws_iam_role.firehose.arn
- prefix = each.value.prefix
- error_output_prefix = each.value.error_output_prefix
- buffering_size = each.value.buffering_size
- buffering_interval = each.value.buffering_interval
- compression_format = each.value.compression_format
- }
-}
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/iam.tf b/terraform/addons/byo-firehose-logging-destination/target-account/iam.tf
deleted file mode 100644
index 8f17b0b527bd..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/target-account/iam.tf
+++ /dev/null
@@ -1,61 +0,0 @@
-resource "aws_iam_role" "fleet_role" {
- assume_role_policy = data.aws_iam_policy_document.assume_role.json
-}
-
-data "aws_iam_policy_document" "assume_role" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- principals {
- identifiers = [var.fleet_iam_role_arn]
- type = "AWS"
- }
- dynamic "condition" {
- for_each = length(var.sts_external_id) > 0 ? [1] : []
- content {
- test = "StringEquals"
- variable = "sts:ExternalId"
- values = [var.sts_external_id]
- }
- }
- }
-}
-
-data "aws_iam_policy_document" "firehose" {
- statement {
- effect = "Allow"
- actions = [
- "firehose:DescribeDeliveryStream",
- "firehose:PutRecord",
- "firehose:PutRecordBatch",
- ]
- resources = [
- for stream in aws_kinesis_firehose_delivery_stream.fleet_log_destinations : stream.arn
- ]
- }
-
- dynamic "statement" {
- for_each = var.server_side_encryption_enabled ? [1] : []
-
- content {
- effect = "Allow"
- actions = [
- "kms:Decrypt",
- "kms:GenerateDataKey",
- ]
- resources = [
- length(var.kms_key_arn) > 0 ? var.kms_key_arn : aws_kms_key.firehose_key[0].arn
- ]
- }
- }
-
-}
-
-resource "aws_iam_policy" "fleet_firehose" {
- policy = data.aws_iam_policy_document.firehose.json
-}
-
-resource "aws_iam_role_policy_attachment" "fleet_firehose" {
- policy_arn = aws_iam_policy.fleet_firehose.arn
- role = aws_iam_role.fleet_role.name
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/outputs.tf b/terraform/addons/byo-firehose-logging-destination/target-account/outputs.tf
deleted file mode 100644
index 97351d082365..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/target-account/outputs.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-output "firehose_iam_role" {
- value = aws_iam_role.fleet_role.arn
-}
-
-output "s3_destination" {
- value = aws_s3_bucket.destination.arn
-}
-
-output "log_destinations" {
- description = "Map of Firehose delivery streams' names."
- value = { for key, stream in aws_kinesis_firehose_delivery_stream.fleet_log_destinations : key => stream.name }
-}
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/s3.tf b/terraform/addons/byo-firehose-logging-destination/target-account/s3.tf
deleted file mode 100644
index dafe961e555e..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/target-account/s3.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-data "aws_region" "current" {}
-data "aws_caller_identity" "current" {}
-data "aws_kms_alias" "s3" {
- name = "alias/aws/s3"
-}
-
-resource "aws_s3_bucket" "destination" {
- bucket = var.osquery_logging_destination_bucket_name
-}
-
-resource "aws_s3_bucket_public_access_block" "destination" {
- bucket = aws_s3_bucket.destination.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
-
-// Objects in S3 are now encrypted by default https://aws.amazon.com/blogs/aws/amazon-s3-encrypts-new-objects-by-default/
-// If you need more granular control, use a customer managed KMS Key
-resource "aws_s3_bucket_server_side_encryption_configuration" "destination" {
- bucket = aws_s3_bucket.destination.id
- rule {
- bucket_key_enabled = true
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
- }
- }
-}
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/variables.tf b/terraform/addons/byo-firehose-logging-destination/target-account/variables.tf
deleted file mode 100644
index c44c28cf025d..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/target-account/variables.tf
+++ /dev/null
@@ -1,65 +0,0 @@
-variable "osquery_logging_destination_bucket_name" {
- type = string
- description = "name of the bucket to store osquery results & status logs"
-}
-
-variable "fleet_iam_role_arn" {
- type = string
- description = "The ARN of the IAM role that will be assumed to gain permissions required to write to the Kinesis Firehose delivery stream."
-}
-
-variable "sts_external_id" {
- type = string
- description = "Optional unique identifier that can be used by the principal assuming the role to assert its identity."
- default = ""
-}
-
-variable "log_destinations" {
- description = "A map of configurations for Firehose delivery streams."
- type = map(object({
- name = string
- prefix = string
- error_output_prefix = string
- buffering_size = number
- buffering_interval = number
- compression_format = string
- }))
- default = {
- results = {
- name = "osquery_results"
- prefix = "results/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/"
- error_output_prefix = "results/error/error=!{firehose:error-output-type}/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/"
- buffering_size = 20
- buffering_interval = 120
- compression_format = "UNCOMPRESSED"
- },
- status = {
- name = "osquery_status"
- prefix = "status/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/"
- error_output_prefix = "status/error/error=!{firehose:error-output-type}/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/"
- buffering_size = 20
- buffering_interval = 120
- compression_format = "UNCOMPRESSED"
- },
- audit = {
- name = "fleet_audit"
- prefix = "audit/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/"
- error_output_prefix = "audit/error/error=!{firehose:error-output-type}/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/"
- buffering_size = 20
- buffering_interval = 120
- compression_format = "UNCOMPRESSED"
- }
- }
-}
-
-variable "server_side_encryption_enabled" {
- description = "A boolean flag to enable/disable server-side encryption. Defaults to true (enabled)."
- type = bool
- default = true
-}
-
-variable "kms_key_arn" {
- description = "An optional KMS key ARN for server-side encryption. If not provided and encryption is enabled, a new key will be created."
- type = string
- default = ""
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/version.tf b/terraform/addons/byo-firehose-logging-destination/target-account/version.tf
deleted file mode 100644
index 529d9d07acce..000000000000
--- a/terraform/addons/byo-firehose-logging-destination/target-account/version.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.3.7"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 5.29.0"
- }
- }
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-kinesis-logging-destination/.header.md b/terraform/addons/byo-kinesis-logging-destination/.header.md
deleted file mode 100644
index e29d62d1cf2b..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/.header.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Logging Destination: Kinesis
-This addon provides a Kinesis Data Stream logging destination for Fleet.
-
-First apply the `target-account` module which will provision the necessary data streams, KMS key, and policies.
-
-Then apply the `kinesis` module with the required variables.
diff --git a/terraform/addons/byo-kinesis-logging-destination/kinesis/.header.md b/terraform/addons/byo-kinesis-logging-destination/kinesis/.header.md
deleted file mode 100644
index 441c86e5ed7e..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/kinesis/.header.md
+++ /dev/null
@@ -1,28 +0,0 @@
-# Kinesis Data Stream Logging Destination Setup
-
-## Usage
-
-After `./target-account` module is applied you might use this module in the following manner:
-
-```hcl
-module "kinesis" {
- source = "../../../../fleet/terraform/addons/byo-kinesis-logging-destination/kinesis"
- kinesis_results_name = "testing-log-stream"
- kinesis_status_name = "testing-log-stream"
- kinesis_audit_name = "testing-log-stream"
- iam_role_arn = "arn:aws:iam::123456789:role/terraform-20240524165353382600000001"
- region = "us-east-2"
-}
-```
-
-And then supply the outputs to the `fleet_config` definition:
-```hcl
-fleet_config = {
- image = local.fleet_image
- extra_iam_policies = concat(module.kinesis.fleet_extra_iam_policies)
- extra_environment_variables = merge(
- local.extra_environment_variables,
- module.kinesis.fleet_extra_environment_variables,
- )
- }
-```
diff --git a/terraform/addons/byo-kinesis-logging-destination/kinesis/.terraform-docs.yml b/terraform/addons/byo-kinesis-logging-destination/kinesis/.terraform-docs.yml
deleted file mode 100644
index 1d139ddb401d..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/kinesis/.terraform-docs.yml
+++ /dev/null
@@ -1 +0,0 @@
-header-from: .header.md
diff --git a/terraform/addons/byo-kinesis-logging-destination/kinesis/README.md b/terraform/addons/byo-kinesis-logging-destination/kinesis/README.md
deleted file mode 100644
index 2eedf9bc92b3..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/kinesis/README.md
+++ /dev/null
@@ -1,70 +0,0 @@
-# Kinesis Data Stream Logging Destination Setup
-
-## Usage
-
-After `./target-account` module is applied you might use this module in the following manner:
-
-```hcl
-module "kinesis" {
- source = "../../../../fleet/terraform/addons/byo-kinesis-logging-destination/kinesis"
- kinesis_results_name = "testing-log-stream"
- kinesis_status_name = "testing-log-stream"
- kinesis_audit_name = "testing-log-stream"
- iam_role_arn = "arn:aws:iam::123456789:role/terraform-20240524165353382600000001"
- region = "us-east-2"
-}
-```
-
-And then supply the outputs to the `fleet_config` definition:
-```hcl
-fleet_config = {
- image = local.fleet_image
- extra_iam_policies = concat(module.kinesis.fleet_extra_iam_policies)
- extra_environment_variables = merge(
- local.extra_environment_variables,
- module.kinesis.fleet_extra_environment_variables,
- )
- }
-```
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.7 |
-| [aws](#requirement\_aws) | >= 4.52.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | >= 4.52.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_policy.fleet-assume-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy_document.fleet-assume-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [iam\_role\_arn](#input\_iam\_role\_arn) | IAM Role ARN to use for Kinesis destination logging | `string` | n/a | yes |
-| [kinesis\_audit\_name](#input\_kinesis\_audit\_name) | name of the kinesis data stream for fleet audit logs | `string` | n/a | yes |
-| [kinesis\_results\_name](#input\_kinesis\_results\_name) | name of the kinesis data stream for osquery results logs | `string` | n/a | yes |
-| [kinesis\_status\_name](#input\_kinesis\_status\_name) | name of the kinesis data stream for osquery status logs | `string` | n/a | yes |
-| [region](#input\_region) | region the target kinesis data stream(s) is in | `string` | n/a | yes |
-| [sts\_external\_id](#input\_sts\_external\_id) | Optional unique identifier that can be used by the principal assuming the role to assert its identity. | `string` | `""` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [fleet\_extra\_environment\_variables](#output\_fleet\_extra\_environment\_variables) | n/a |
-| [fleet\_extra\_iam\_policies](#output\_fleet\_extra\_iam\_policies) | n/a |
diff --git a/terraform/addons/byo-kinesis-logging-destination/kinesis/iam.tf b/terraform/addons/byo-kinesis-logging-destination/kinesis/iam.tf
deleted file mode 100644
index d394ab86ae6a..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/kinesis/iam.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-data "aws_iam_policy_document" "fleet-assume-role" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- resources = [var.iam_role_arn]
- }
-}
-
-resource "aws_iam_policy" "fleet-assume-role" {
- policy = data.aws_iam_policy_document.fleet-assume-role.json
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-kinesis-logging-destination/kinesis/outputs.tf b/terraform/addons/byo-kinesis-logging-destination/kinesis/outputs.tf
deleted file mode 100644
index 35c76726da39..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/kinesis/outputs.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-output "fleet_extra_environment_variables" {
- value = {
- FLEET_KINESIS_STATUS_STREAM = var.kinesis_status_name
- FLEET_KINESIS_RESULT_STREAM = var.kinesis_results_name
- FLEET_KINESIS_AUDIT_STREAM = var.kinesis_audit_name
- FLEET_KINESIS_STS_ASSUME_ROLE_ARN = var.iam_role_arn
- FLEET_KINESIS_STS_EXTERNAL_ID = var.sts_external_id
- FLEET_KINESIS_REGION = var.region
- FLEET_OSQUERY_STATUS_LOG_PLUGIN = length(var.kinesis_status_name) > 0 ? "kinesis" : ""
- FLEET_OSQUERY_RESULT_LOG_PLUGIN = length(var.kinesis_results_name) > 0 ? "kinesis" : ""
- FLEET_ACTIVITY_AUDIT_LOG_PLUGIN = length(var.kinesis_audit_name) > 0 ? "kinesis" : ""
- FLEET_ACTIVITY_ENABLE_AUDIT_LOG = length(var.kinesis_audit_name) > 0 ? "true" : "false"
- }
-}
-
-output "fleet_extra_iam_policies" {
- value = [
- aws_iam_policy.fleet-assume-role.arn
- ]
-}
diff --git a/terraform/addons/byo-kinesis-logging-destination/kinesis/variables.tf b/terraform/addons/byo-kinesis-logging-destination/kinesis/variables.tf
deleted file mode 100644
index c1c1df3051fc..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/kinesis/variables.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-variable "iam_role_arn" {
- type = string
- description = "IAM Role ARN to use for Kinesis destination logging"
-}
-
-variable "kinesis_results_name" {
- type = string
- description = "name of the kinesis data stream for osquery results logs"
-}
-
-variable "kinesis_status_name" {
- type = string
- description = "name of the kinesis data stream for osquery status logs"
-}
-
-variable "kinesis_audit_name" {
- type = string
- description = "name of the kinesis data stream for fleet audit logs"
-}
-
-variable "region" {
- type = string
- description = "region the target kinesis data stream(s) is in"
-}
-
-variable "sts_external_id" {
- type = string
- description = "Optional unique identifier that can be used by the principal assuming the role to assert its identity."
- default = ""
-}
diff --git a/terraform/addons/byo-kinesis-logging-destination/kinesis/version.tf b/terraform/addons/byo-kinesis-logging-destination/kinesis/version.tf
deleted file mode 100644
index 529d9d07acce..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/kinesis/version.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.3.7"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 5.29.0"
- }
- }
-}
\ No newline at end of file
diff --git a/terraform/addons/byo-kinesis-logging-destination/target-account/.header.md b/terraform/addons/byo-kinesis-logging-destination/target-account/.header.md
deleted file mode 100644
index 478b757f0903..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/target-account/.header.md
+++ /dev/null
@@ -1,83 +0,0 @@
-# Kinesis Data Stream Logging Destination Setup
-
-## How to use
-
-Below is an example of defining the module to use a single Kinesis Data Stream for all log types (results, status, and audit):
-```hcl
-module "kinesis" {
- source = "github.com/fleetdm/fleet//terraform/addons/byo-kinesis-logging-destination/target-account"
-
- fleet_iam_role_arn = "arn:aws:iam::123456789:role/fleet-server-role" # this is the ARN of the IAM (ECS-task) role the fleet servers are running as
- log_destinations = {
- test = {
- name = "unified-log-stream"
- shard_count = 0 # shard count only matters if `stream_mode` is `PROVISIONED`
- stream_mode = "ON_DEMAND" # valid values are `ON_DEMAND` or `PROVISIONED`
- retention_period = 24 # number of hours you want the data to be retained on the stream
- shard_level_metrics = [] # IncomingBytes IncomingRecords OutgoingBytes OutgoingRecords WriteProvisionedThroughputExceeded ReadProvisionedThroughputExceeded IteratorAgeMilliseconds
- }
- }
-}
-
-output "kinesis_logging_destination" {
- value = module.kinesis
-}
-```
-
-If you desired a Kinesis Data Stream per "topic":
-```hcl
-module "kinesis" {
- source = "github.com/fleetdm/fleet//terraform/addons/byo-kinesis-logging-destination/target-account"
-
- fleet_iam_role_arn = "arn:aws:iam::123456789:role/fleet-server-role" # this is the ARN of the IAM (ECS-task) role the fleet servers are running as
- log_destinations = {
- results = {
- name = "osquery-results"
- shard_count = 0 # shard count only matters if `stream_mode` is `PROVISIONED`
- stream_mode = "ON_DEMAND" # valid values are `ON_DEMAND` or `PROVISIONED`
- retention_period = 24 # number of hours you want the data to be retained on the stream
- shard_level_metrics = [] # IncomingBytes IncomingRecords OutgoingBytes OutgoingRecords WriteProvisionedThroughputExceeded ReadProvisionedThroughputExceeded IteratorAgeMilliseconds
- }
- status = {
- name = "osquery-status"
- shard_count = 0 # shard count only matters if `stream_mode` is `PROVISIONED`
- stream_mode = "ON_DEMAND" # valid values are `ON_DEMAND` or `PROVISIONED`
- retention_period = 24 # number of hours you want the data to be retained on the stream
- shard_level_metrics = [] # IncomingBytes IncomingRecords OutgoingBytes OutgoingRecords WriteProvisionedThroughputExceeded ReadProvisionedThroughputExceeded IteratorAgeMilliseconds
- }
- audit = {
- name = "fleet-audit"
- shard_count = 0 # shard count only matters if `stream_mode` is `PROVISIONED`
- stream_mode = "ON_DEMAND" # valid values are `ON_DEMAND` or `PROVISIONED`
- retention_period = 24 # number of hours you want the data to be retained on the stream
- shard_level_metrics = [] # IncomingBytes IncomingRecords OutgoingBytes OutgoingRecords WriteProvisionedThroughputExceeded ReadProvisionedThroughputExceeded IteratorAgeMilliseconds
- }
- }
-}
-
-output "kinesis_logging_destination" {
- value = module.kinesis
-}
-```
-
-1. **Variables:**
- - `fleet_iam_role_arn`: A string variable that holds the ARN of the IAM role which will assume the role defined in this module to gain permissions for writing to the Kinesis Data Streams.
- - `sts_external_id`: An optional string variable that can be used as a unique identifier for the principal assuming the role to assert its identity. Default is an empty string.
- - `log_destinations`: A map variable that contains configurations for multiple Kinesis Data Streams. Each stream configuration includes its name, shard count, stream mode, retention period, and shard-level metrics. Default values are provided for three streams: `osquery_results`, `osquery_status`, and `fleet_audit`.
-
-2. **IAM Role:**
- - `aws_iam_role.fleet_role`: Creates an IAM role with a trust policy that allows the specified IAM role ARN (`fleet_iam_role_arn`) to assume this role. If `sts_external_id` is provided, it adds a condition to the trust policy to require this external ID for the assume role operation.
-
-3. **IAM Policy Documents:**
- - `data.aws_iam_policy_document.assume_role`: Defines the assume role policy for the IAM role. It allows the specified actions (`sts:AssumeRole`) for the specified principals.
- - `data.aws_iam_policy_document.kinesis`: Defines the policy document allowing the IAM role to perform Kinesis and KMS actions. It allows the IAM role to describe, put records into the Kinesis streams (defined in `log_destinations`), and use KMS keys for encryption.
-
-4. **IAM Policy and Attachment:**
- - `aws_iam_policy.fleet_kinesis`: Creates an IAM policy using the defined policy document (`data.aws_iam_policy_document.kinesis`).
- - `aws_iam_role_policy_attachment.fleet_kinesis`: Attaches the created IAM policy to the IAM role (`aws_iam_role.fleet_role`).
-
-5. **KMS Key:**
- - `aws_kms_key.kinesis_key`: Creates a KMS key for encrypting the Kinesis Data Streams.
-
-6. **Kinesis Data Streams:**
- - `aws_kinesis_stream.fleet_log_destination`: Provisions Kinesis Data Streams based on the configurations defined in `log_destinations`. Each stream is created with the specified name, encryption type (using the KMS key), shard-level metrics, shard count (if the stream mode is not "ON_DEMAND"), and stream mode.
diff --git a/terraform/addons/byo-kinesis-logging-destination/target-account/.terraform-docs.yml b/terraform/addons/byo-kinesis-logging-destination/target-account/.terraform-docs.yml
deleted file mode 100644
index 1d139ddb401d..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/target-account/.terraform-docs.yml
+++ /dev/null
@@ -1 +0,0 @@
-header-from: .header.md
diff --git a/terraform/addons/byo-kinesis-logging-destination/target-account/.terraform.lock.hcl b/terraform/addons/byo-kinesis-logging-destination/target-account/.terraform.lock.hcl
deleted file mode 100644
index d5b523dfe59c..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/target-account/.terraform.lock.hcl
+++ /dev/null
@@ -1,25 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/aws" {
- version = "5.51.0"
- constraints = ">= 5.29.0"
- hashes = [
- "h1:AUyje9jt9NYDbdFJwxLYtMEodb3PZptGsftpuB0xSgQ=",
- "zh:049a4292dbf6afc2445d9fc796258ae33a989fd9a68b84f6e51c42c46dc2e45d",
- "zh:0c1cd2d0e58727afe037d4ba0daeac0be3e0076d971ffa019cd4a03e1e8e7d50",
- "zh:16ac968deddd08bd0e164532bfa961ef27785cb7beb57373637fb54eebbcef4f",
- "zh:1740a6393e48a7ee357f53ac75025bb7eb56e21887cd28fbd996bb7c405fad85",
- "zh:1e6667f3fca893cb3d333027f15e5965e45b29343a23b4d84ee787d2af732fc2",
- "zh:543c8b780051623cb3a8558d9ed1f2ee51a801f839777a8f97e854e0b67e745e",
- "zh:784d7e1791c75e10ff457ff75836bb3230b63c72f41cd63dc021381984661820",
- "zh:857b37528e40a0ffe4f06ce9580bc4f88209bb9a0864f482c898ce8494b7347f",
- "zh:94d15a0f4662a04c88cba1ba2710aed506331b47aaad36f36734fcba64d64294",
- "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:ba78a03cdc2bf56f48c19e2a37930f4bb8dfe818fc21f039fb785a22221d1fcf",
- "zh:c9681a67ba51540905031063217fd8e48888c5ed3c9394d571d7d7ee333a5fbd",
- "zh:d5d15bae5357854bd8df7490628ca949ef4c61481d3f4c3c535b0142261f93e4",
- "zh:d96b28f58af08ab4d9057611e612634e96cafacaacf481dc08caf4dff06bbeee",
- "zh:ed7652b4da81f2e7efe4821460aa77ba811e94afb4ef02afe067c1f166ee37d1",
- ]
-}
diff --git a/terraform/addons/byo-kinesis-logging-destination/target-account/README.md b/terraform/addons/byo-kinesis-logging-destination/target-account/README.md
deleted file mode 100644
index e54c0b4f4ea4..000000000000
--- a/terraform/addons/byo-kinesis-logging-destination/target-account/README.md
+++ /dev/null
@@ -1,127 +0,0 @@
-# Kinesis Data Stream Logging Destination Setup
-
-## How to use
-
-Below is an example of defining the module to use a single Kinesis Data Stream for all log types (results, status, and audit):
-```hcl
-module "kinesis" {
- source = "github.com/fleetdm/fleet//terraform/addons/byo-kinesis-logging-destination/target-account"
-
- fleet_iam_role_arn = "arn:aws:iam::123456789:role/fleet-server-role" # this is the ARN of the IAM (ECS-task) role the fleet servers are running as
- log_destinations = {
- test = {
- name = "unified-log-stream"
- shard_count = 0 # shard count only matters if `stream_mode` is `PROVISIONED`
- stream_mode = "ON_DEMAND" # valid values are `ON_DEMAND` or `PROVISIONED`
- retention_period = 24 # number of hours you want the data to be retained on the stream
- shard_level_metrics = [] # IncomingBytes IncomingRecords OutgoingBytes OutgoingRecords WriteProvisionedThroughputExceeded ReadProvisionedThroughputExceeded IteratorAgeMilliseconds
- }
- }
-}
-
-output "kinesis_logging_destination" {
- value = module.kinesis
-}
-```
-
-If you desired a Kinesis Data Stream per "topic":
-```hcl
-module "kinesis" {
- source = "github.com/fleetdm/fleet//terraform/addons/byo-kinesis-logging-destination/target-account"
-
- fleet_iam_role_arn = "arn:aws:iam::123456789:role/fleet-server-role" # this is the ARN of the IAM (ECS-task) role the fleet servers are running as
- log_destinations = {
- results = {
- name = "osquery-results"
- shard_count = 0 # shard count only matters if `stream_mode` is `PROVISIONED`
- stream_mode = "ON_DEMAND" # valid values are `ON_DEMAND` or `PROVISIONED`
- retention_period = 24 # number of hours you want the data to be retained on the stream
- shard_level_metrics = [] # IncomingBytes IncomingRecords OutgoingBytes OutgoingRecords WriteProvisionedThroughputExceeded ReadProvisionedThroughputExceeded IteratorAgeMilliseconds
- }
- status = {
- name = "osquery-status"
- shard_count = 0 # shard count only matters if `stream_mode` is `PROVISIONED`
- stream_mode = "ON_DEMAND" # valid values are `ON_DEMAND` or `PROVISIONED`
- retention_period = 24 # number of hours you want the data to be retained on the stream
- shard_level_metrics = [] # IncomingBytes IncomingRecords OutgoingBytes OutgoingRecords WriteProvisionedThroughputExceeded ReadProvisionedThroughputExceeded IteratorAgeMilliseconds
- }
- audit = {
- name = "fleet-audit"
- shard_count = 0 # shard count only matters if `stream_mode` is `PROVISIONED`
- stream_mode = "ON_DEMAND" # valid values are `ON_DEMAND` or `PROVISIONED`
- retention_period = 24 # number of hours you want the data to be retained on the stream
- shard_level_metrics = [] # IncomingBytes IncomingRecords OutgoingBytes OutgoingRecords WriteProvisionedThroughputExceeded ReadProvisionedThroughputExceeded IteratorAgeMilliseconds
- }
- }
-}
-
-output "kinesis_logging_destination" {
- value = module.kinesis
-}
-```
-
-1. **Variables:**
- - `fleet_iam_role_arn`: A string variable that holds the ARN of the IAM role which will assume the role defined in this module to gain permissions for writing to the Kinesis Data Streams.
- - `sts_external_id`: An optional string variable that can be used as a unique identifier for the principal assuming the role to assert its identity. Default is an empty string.
- - `log_destinations`: A map variable that contains configurations for multiple Kinesis Data Streams. Each stream configuration includes its name, shard count, stream mode, retention period, and shard-level metrics. Default values are provided for three streams: `osquery_results`, `osquery_status`, and `fleet_audit`.
-
-2. **IAM Role:**
- - `aws_iam_role.fleet_role`: Creates an IAM role with a trust policy that allows the specified IAM role ARN (`fleet_iam_role_arn`) to assume this role. If `sts_external_id` is provided, it adds a condition to the trust policy to require this external ID for the assume role operation.
-
-3. **IAM Policy Documents:**
- - `data.aws_iam_policy_document.assume_role`: Defines the assume role policy for the IAM role. It allows the specified actions (`sts:AssumeRole`) for the specified principals.
- - `data.aws_iam_policy_document.kinesis`: Defines the policy document allowing the IAM role to perform Kinesis and KMS actions. It allows the IAM role to describe, put records into the Kinesis streams (defined in `log_destinations`), and use KMS keys for encryption.
-
-4. **IAM Policy and Attachment:**
- - `aws_iam_policy.fleet_kinesis`: Creates an IAM policy using the defined policy document (`data.aws_iam_policy_document.kinesis`).
- - `aws_iam_role_policy_attachment.fleet_kinesis`: Attaches the created IAM policy to the IAM role (`aws_iam_role.fleet_role`).
-
-5. **KMS Key:**
- - `aws_kms_key.kinesis_key`: Creates a KMS key for encrypting the Kinesis Data Streams.
-
-6. **Kinesis Data Streams:**
- - `aws_kinesis_stream.fleet_log_destination`: Provisions Kinesis Data Streams based on the configurations defined in `log_destinations`. Each stream is created with the specified name, encryption type (using the KMS key), shard-level metrics, shard count (if the stream mode is not "ON\_DEMAND"), and stream mode.
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.7 |
-| [aws](#requirement\_aws) | >= 5.29.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | 5.51.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_policy.fleet_kinesis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role.fleet_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.fleet_kinesis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_kinesis_stream.fleet_log_destination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream) | resource |
-| [aws_kms_key.kinesis_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.kinesis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [fleet\_iam\_role\_arn](#input\_fleet\_iam\_role\_arn) | The ARN of the IAM role that will be assuming into the IAM role defined in this module to gain permissions required to write to the Kinesis Data Stream(s). | `string` | n/a | yes |
-| [log\_destinations](#input\_log\_destinations) | A map of configurations for Kinesis data streams. |
map(object({ name = string shard_count = number stream_mode = string retention_period = number shard_level_metrics = list(string) }))
| no |
-| [fleet\_config](#input\_fleet\_config) | The configuration object for Fleet itself. Fields that default to null will have their respective resources created if not specified. |
| no |
-| [fleet\_config](#input\_fleet\_config) | The configuration object for Fleet itself. Fields that default to null will have their respective resources created if not specified. |